Beware: 'Digmine' Cryptocurrency Bot Is Spreading Via Facebook Messenger (techspot.com) 96
Cybersecurity firm Trend Micro has discovered a cryptocurrency bot that is being spread through Facebook Messenger. The bot, dubbed Digmine, was discovered in South Korea and has since been found in Vietnam, Azerbaijan, Ukraine, Vietnam, Philippines, Thailand, and Venezuela. TechSpot explains: Victims receive a file named "video_xxxx.zip" from one of their Facebook Messenger contacts. Opening it will load Chrome along with a malicious browser extension. Extensions can only be downloaded from the Chrome Web Store, but this is bypassed using the command line.
Once the malware infects a system, a modified version of XMRig -- a Monero mining tool -- is installed. This mines the cryptocurrency in the background using a victim's CPU, sending all profits back to the hackers. Additionally, the Chrome extension is also used to spread Digmine. If someone has their Facebook account set to log in automatically, the fake video file link will be sent to all their friends via Messenger. The malware could also be used to take over a Facebook account entirely. The good news is that Digmine only works through the Chrome desktop version of Messenger. Right now, opening the malicious file via the Facebook/Messenger app or mobile webpage won't have the same effect. After Trend Micro revealed its findings, Facebook said it had taken down any links connected to Digmine.
Old school is best school (Score:3)
Mobile means we get to relive all the same attacks we saw decades ago.
Re:Old school is best school (Score:4, Interesting)
No, see, it's totally different. Chrome sandboxes extensions so this cannot possibly be an attack. Now I'm to run some more arbitrary JavaScript from the internet without being asked first or even told what's running</sacrasm>
Re: (Score:2)
Nope, sorry. This is malware so the packets are coming from inside the firewall. A miner doesn't wait for instructions it just mines and fires off the results.
Try again smartass. At least with the domains blocked they can't make any use of the malware.
Good firewalls block traffic in and out. It’s just that most people have crap firewalls.
Re: (Score:3)
It also doesn't do diddly squat for blocking URLs like https://translate.google.com/t... [google.com]
Nor domains where some content is good and some is evil. It's all or nothing.
Nor randomly generated hostnames like f359db86.evil.com where the attacker points *.evil.com to the same A/AAAA (with a simple 8 nibble address like this, you'd need 4,294,967,296 host names).
Nor if using a proxy server that doesn't have a host list, because the proxy server does the resolving.
Nor if using a resolver that doesn't have file as t
Re: (Score:2)
Randomly generated or not, once a hostname is blocked in hosts, it's blocked & I've even shown Tepples there are DGA lists (where names are generated thus) & I use them - so much for that bs from you.
bs from me?
A snippet of javscript code in a web page here shows:
var host = Math.random().toString(16).slice(2,10);
var domain = 'thrax.ru';
var url = 'https://' + host + domain + '/js/master.js';
How do you possibly block that with a host list without adding 4 billion entries? Answer HOW, please.
It should be obvious to anyone that it's using a hosts list that can't even handle wildcards like DNS can that's bs.
Re: (Score:2)
P.S.=> Who cares if hosts don't do wildcards? It's near ZERO EFFORT per my program PLUS?
To generate 4+ billion entries? Lol!
Re: (Score:2)
Even if you pay $1 per domain & get 255 subdomains over 4 billion, ROI = weak!
You don't get 255 subdomains. Confusing subdomains with class C subnets is worrying if you attempt to sell network-related software.
With a single domain, you get the choice to create as many hostnames and subdomains on the domain as you want. Any number of hostnames or subdomains on a domain won't cost a dime more. What makes this feasible is that DNS servers take wildcard requests. Unlike your hosts file, they don't need an entry for every host, but can use wildcards, like:
* IN A 123.45
Re: (Score:2)
1.) How much does 4 billion domains cost
You don't understand domain names at all. You don't need 4 billion domains. You need one, with any number of subdomains and hosts you want being free. 4 billion, 8 trillion, it doesn't matter. They're all yours for the price of a single domain.
2.) Does my approach work to STOP this threat??
Nope, it does not. That's the problem. You cannot block: ... where the first part is randomly generated.
1f873bb2fed1.hostname.com
2953bfe64711.hostname.com
These are legal domain names, by the way. Try them.
Because hosts doesn't take wildcards, you would have to
Re: (Score:2)
See subject (you lose in your theoretical bs too) 0.0.0.0 1f873bb2fed1.hostname.com & 0.0.0.0 2953bfe64711.hostname.com = blocked (up to whatever via DGA tracker lists have changing a source in my APKIniFile.ini (change back once loaded & blocked))
You completely miss the point. You blocked the two examples, but not the possible hosts. The entire point was that they were random. The host name part doesn't exist until generated, at which point it needs to be blocked. When a piece of js generates f4002db3688.hostname.com or any other random hostname in the .hostname.com domain, your hosts file does not have that never-before-seen hostname there.
And this is not just botnets as you seem to think - several ad trackers do the same these days, generating
Re: (Score:2)
Hilarious - HOW can botnet herders store "4++ BILLION ENTRIES" themselves if I can't?? How could a router??? How could DNS???
They don't need to, because they can use wildcards.
In my router, I can block access to all hosts under .domain.com or *.ru with:
content-filter common-list forbid
*.domain.com
*.evildomain.ru
In my DNS, I can add a section where I state that I'm authoritative for these domains when queried from internal domains, and put a wildcard entry for each domain I want to block the lookup of every host.
$ORIGIN domain.com.
* IN A 127.2
$ORIGIN evildomain.ru.
* IN A 127.2
"Botnet herders" (you still can't get
Re: (Score:2)
Well between my pfsense box in front of my modem, a smart switch behind the modem and a Pi-Hole box my Lan uses for dns I think I'm half assed alright. Any strangeness noticed, occasional paranoia or boredom, whichever it may be, then I do have a Kali box that only gets the network cable plugged in when Im actively using it, usually just for Wireshark nowadays. Since I haven't been quite as mischievous as I was in my youth in a long while...
Re: (Score:1)
It may be insensitive, and it's definitely offensive (as i believe it's supposed to be) but the fact is that in US prison populations, blacks outnumber latinos 2-1, and latinos outnumber whites by a further 2-1. The reasons for this are, to me, far more offensive than APK's comments, but are also way beyond the scope of what I wanted to point out. Sometimes the actual facts and figures agree with the numbers suggested by prejudice and stereotypes.
That doesn't really excuse APK's comments, but calling h
fb users' computers useful for once! (Score:2)
we should rejoice!
Beware: .zip (Score:2)
Try and find a better message app.
Chrome is a malware vector (Score:1)
Better stick with Edge
What's the problem again? (Score:2)
I can't see this being a problem for the /. crowd.
Really, who here uses Facebook Messenger, Google Chrome and open ZIP attachments?
Re: (Score:2)
Re: (Score:2)
End a file in mp4? html?
What draws in very average social media users?
A boring old html page?
A mp4 file? Thats a movie and as they know the personality of the sender it will be boring, safe for work.
Some security researcher, a person in social media middle management must have that stat? The file type link most users actually cl
...and double click a Microsoft Windows .exe file? (Score:1)
How does opening a .zip run the contents? Does the user also have to run the i-know-you-want-to-double-click-me.exe file?
Re: (Score:2)
How does opening a .zip run the contents? Does the user also have to run the i-know-you-want-to-double-click-me.exe file?
That's an easy one, you count on users trusting Windows. Since the start Windows has screwed users with extensions. Either hiding them or only showing the first encountered.
MyFile.zip.exe was very popular awhile back, it would show as a MyFile or Myfile.zip file, yet run as the hidden .exe file.
As for asking to run it, many have most likely tired of saying yes to the requester and disabled it.
Re:...and double click a Microsoft Windows .exe fi (Score:4, Informative)
How does opening a .zip run the contents? Does the user also have to run the i-know-you-want-to-double-click-me.exe file?
That's an easy one, you count on users trusting Windows. Since the start Windows has screwed users with extensions. Either hiding them or only showing the first encountered.
MyFile.zip.exe was very popular awhile back, it would show as a MyFile or Myfile.zip file, yet run as the hidden .exe file.
As for asking to run it, many have most likely tired of saying yes to the requester and disabled it.
The first thing I do when working on someone's computer is uncheck the box "Hide extensions of known file types".
Comment removed (Score:3)
Re: (Score:2)
Hack the malware (Score:2)